remcos | a1006ea95956818636f6055742bf639336ad2474f5a86969ed898d28b22689fb

General

Target

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Size

36KB
MD5

4b87597d2dc22a3047eab8addc09ecf0
SHA1

6fafadeca6663b3dc30aa290e3e592d05c1906bc
SHA256

a1006ea95956818636f6055742bf639336ad2474f5a86969ed898d28b22689fb
SHA512

b5a18cd744b2823c5c0a460256052b3490f730d38c724b7471ad5122e64a7a1ab94a72e711a0c2bde7e66ef2a05699fde634138e80535c8a8080d84cecdb335f
SSDEEP

384:PE2q5PHyMV9jmhOludWkhI73XcbbZQ2cRbQom8kR3bh9zRvgzTc9fpGnefzwGDsC:A5PHyCjmhFdWfLubuZ1kvIaEekM2Wr1

Score

10^/10

remcos hot evasion persistence rat trojan upx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Hot

C2

xfxf.ddns.net:2404

xfxf.ddns.net:2525

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
svhost2.exe
copy_folder
svhosting
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
true
mutex
remcos_xrieusffqh
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
svhost2
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exesvhost2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	svhost2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	svhost2.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exesvhost2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svhost2.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exesvhost2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svhost2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svhost2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svhost2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	svhost2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

svhost2.exe

pid process

2376 svhost2.exe

pid	process
2376	svhost2.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4428-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4428-7-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svhosting\svhost2.exe	upx
behavioral2/memory/2376-13-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-14-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-15-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-16-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-18-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-19-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-20-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-21-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-22-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-23-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-24-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-25-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2376-26-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exesvhost2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svhost2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	svhost2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svhost2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhosting\\svhost2.exe\""	svhost2.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exesvhost2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	svhost2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4896 reg.exe
4748 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4272 PING.EXE

pid	process
4896	reg.exe
4748	reg.exe

pid	process
4272	PING.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.execmd.execmd.exesvhost2.execmd.exe

description	pid	process	target process
PID 4428 wrote to memory of 1668	4428	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe	cmd.exe
PID 4428 wrote to memory of 1668	4428	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe	cmd.exe
PID 4428 wrote to memory of 1668	4428	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 4896	1668	cmd.exe	reg.exe
PID 1668 wrote to memory of 4896	1668	cmd.exe	reg.exe
PID 1668 wrote to memory of 4896	1668	cmd.exe	reg.exe
PID 4428 wrote to memory of 3936	4428	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe	cmd.exe
PID 4428 wrote to memory of 3936	4428	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe	cmd.exe
PID 4428 wrote to memory of 3936	4428	4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe	cmd.exe
PID 3936 wrote to memory of 4272	3936	cmd.exe	PING.EXE
PID 3936 wrote to memory of 4272	3936	cmd.exe	PING.EXE
PID 3936 wrote to memory of 4272	3936	cmd.exe	PING.EXE
PID 3936 wrote to memory of 2376	3936	cmd.exe	svhost2.exe
PID 3936 wrote to memory of 2376	3936	cmd.exe	svhost2.exe
PID 3936 wrote to memory of 2376	3936	cmd.exe	svhost2.exe
PID 2376 wrote to memory of 3844	2376	svhost2.exe	cmd.exe
PID 2376 wrote to memory of 3844	2376	svhost2.exe	cmd.exe
PID 2376 wrote to memory of 3844	2376	svhost2.exe	cmd.exe
PID 3844 wrote to memory of 4748	3844	cmd.exe	reg.exe
PID 3844 wrote to memory of 4748	3844	cmd.exe	reg.exe
PID 3844 wrote to memory of 4748	3844	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b87597d2dc22a3047eab8addc09ecf0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4272
- - C:\Users\Admin\AppData\Roaming\svhosting\svhost2.exe
    "C:\Users\Admin\AppData\Roaming\svhosting\svhost2.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
103B

MD5
9e8766835d9dc0aa88568ffe1babf362

SHA1
8ac7dd7c8d3200b709091e184f2f1abda2d004a9

SHA256
346b87bbf0ac594f56a67ba755f7a5bcfc503cf03f13a18ac81990318e45ca5e

SHA512
6ddb35f21ecf48a92b7fbb49e916431ed5778f1f7fa9e708cd97a44eac815c6a35572e3df134c31de2110fa5e7b9754a75f8e2de53f466cf656d6fe52a814ad2

Download Submit
C:\Users\Admin\AppData\Roaming\svhosting\svhost2.exe

Filesize
36KB

MD5
4b87597d2dc22a3047eab8addc09ecf0

SHA1
6fafadeca6663b3dc30aa290e3e592d05c1906bc

SHA256
a1006ea95956818636f6055742bf639336ad2474f5a86969ed898d28b22689fb

SHA512
b5a18cd744b2823c5c0a460256052b3490f730d38c724b7471ad5122e64a7a1ab94a72e711a0c2bde7e66ef2a05699fde634138e80535c8a8080d84cecdb335f

Download Submit
memory/2376-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads